“out-of-office” a privacy risk?
As a child, I was taught that it is never appropriate to answer the phone and say that your parents weren’t at home. They were either “in the shower” or “in the middle of something.” This was because you didn’t want evil people to know that you were home alone. Similarly, we were also taught not to make an answering machine message that said “we’re not home right now.” (Then again, how many burglars are so stupid as to not realize it doesn’t really matter what the message says?)
Now in corporate America, out-of-office email messages are very common and frequently include when the person in question will return as well as the reason for being out of the office. Personally, I even have information in my signature about where and when I will be traveling (which I will be removing shortly). The following post on a privacy mailing list by the chief privacy officer at a major securities/investment banking firm has made me think about the benefits of providing that information to encourage local client interaction vs. the cost of personally providing too much information. Given your line of business, where do you draw the line? Do you tell everyone in your out-of-office why you’re gone and when you’ll be returning?
We’ve considered this and weighed the customer service aspect of letting people know whether/when you will be able to respond versus 2 other points:
1. A detailed out-of-office message could pose some personal risk to your employee in that if it states they are out for an extended period it is likely that this makes the employee’s home a good target for a criminal/burglar (not to mention increasing the risk if some family members – children – did not join the vacation and are still at home).
2. If you’re along the critical path of a financial transaction (e.g., wire transfer, etc.), this could signal a criminal that this is now a good place to start social engineering under the assumption that the replacementee is possibly less skilled/qualified in handling the particular transaction.
As such, we’ve now recommended that ‘out-of-office’ messages be very generic in nature along the lines of "I am unable to respond to your email at this time. If you need assistance, please call XXXXX."